# Install Duniter Server on Ubuntu Server 22.04 with Docker

## Prerequisites

* At least 2 CPUs and 3 GB of RAM; 4 CPUs and 4 GB of RAM is better.
* A freshly installed VPS. If you know what you are doing, an existing one will do.
* A public IP address.
* A domain or subdomain already pointing at your IP. Set it up a couple of hours in advance so that it propagates correctly. If you do not have a subdomain for your node, you can ask me for one.
* An e-mail address to configure Let's Encrypt.

This is a complete installation, that is, with every step needed so that, hopefully, even people with basic knowledge can follow the guide.

Unless you know what you are doing, do not continue if any command returns an error; it is better to ask me about that error.

## Initial server configuration

* Connect to the server. After installation you are usually given access on the default port, 22.

```
ssh -p22 root@IP_DEL_SERVIDOR
```

* Change the default password. It is always better to use a password manager.

```
passwd

New password:
Retype new password:
passwd: password updated successfully
```

* Add a new user, replacing USER with your user name.

```
adduser USER
```

* Add the user to the "sudo" group.

```
gpasswd -a USER sudo
```

* Change the SSH server's default port (the `Port` directive; the hardening step later in this guide uses 2274).

```
vim /etc/ssh/sshd_config
```

* And restart the service.

```
systemctl restart ssh
```

* Log out of the server.

```
CTRL+D
```

## Generate an SSH key and upload it to the server

* Generate a new key pair if you do not have one. Use your e-mail address or any other comment.

```
ssh-keygen -t ed25519 -C "usuario@correo.com"

Enter file in which to save the key (/home/mau/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mau/.ssh/id_ed25519
Your public key has been saved in /home/mau/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:5CyKdofJghHDV7EhP3CrxmWC6++ybssCzZBrsNk+K58 usuario@correo.com
The key's randomart image is:
+--[ED25519 256]--+
| o =. |
|. . * + |
|o+ o B . |
|+o+ = .+ |
|oX + . S |
|*+=o + . |
|+o+ * . |
|++++ . |
|+BE= |
+----[SHA256]-----+
```

* Copy the public key to the server.

```
ssh-copy-id -i .ssh/id_ed25519.pub USER@IP_DEL_SERVIDOR

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@IP_DEL_SERVIDOR's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'IP_DEL_SERVIDOR'"
and check to make sure that only the key(s) you wanted were added.
```

* You should now be able to connect without a password.

```
ssh user@IP_DEL_SERVIDOR
```

## Continuing the server configuration

* Verify that you have sudo by bringing the server up to date.

```
sudo apt update

sudo apt upgrade

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

* Make the shell prompt look nicer.

```
nano .bashrc
```

* Add this at the end of the file.

```
PS1="┌─[\e[0;32m\H\e[m][\e[1;31m\u\e[m]->{\[\e[34;1m\]\w\[\e[0;1m\]}\n└──> \[\e[0m\]"
```

* Save (CTRL+O) and exit (CTRL+X).

* Apply the changes.

```
source .bashrc
```

* Set the hostname to your domain; you will only see the change the next time you log in.

```
sudo hostnamectl set-hostname DOMINIO
```

* Edit the hosts file.

```
sudo nano /etc/hosts

127.0.0.1 DOMINIO localhost
```

* Set the time zone. You can keep the default, UTC, without any problem.

```
sudo timedatectl set-timezone America/Mexico_City
```

* Set the locale.

```
sudo localectl set-locale LANG=en_US.UTF-8 LANGUAGE="en_US:en"
```

* Add the environment variables to the file.

```
sudo nano /etc/environment

LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
```

* Regenerate the locales.

```
sudo dpkg-reconfigure locales

Generating locales (this might take a while)...
en_US.UTF-8... done
Generation complete.
```

* Configure the SSH server

Now we harden the SSH server. *CAREFUL*: a bad configuration in this file can lock you out of the server, so review everything very carefully, several times.

Since only your user will be allowed to log in, MAKE SURE you replace USER with your user name; if you do not and you restart the service, you will lose access to the server. Note that we are also disabling "root" login and disabling password authentication, which means you will only be able to log in with the key configured earlier. Be CAREFUL with this step.

```
sudo nano /etc/ssh/sshd_config

Port 2274
AllowUsers USER
PermitRootLogin no
LoginGraceTime 1m
ClientAliveInterval 600
ClientAliveCountMax 0
MaxAuthTries 3
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
LogLevel INFO
```

* Restart the service, making sure everything is correct.

```
sudo systemctl restart ssh
```

* Log out of the server and log back in (on the new port, 2274) to validate that everything works.
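Before restarting sshd with the hardened file, it is worth checking the directives that can lock you out. The script below is an added example, not part of the original guide: it reads the configuration text, refuses a leftover USER placeholder in AllowUsers, and confirms that root login, empty passwords and password authentication are all off. GOOD_CONF and BAD_CONF are constructed samples, and the account name `alice` is an assumption; on the server you would feed it the real file with `check_sshd_hardening "$(cat /etc/ssh/sshd_config)" USER`. Keep your current session open and test the new port from a second terminal before closing it.

```shell
#!/bin/sh
# Added example (not from the original guide): check a hardened sshd_config
# for the settings that cause lockouts before `systemctl restart ssh`.

# Constructed sample: the guide's directives with the placeholder replaced
# by a real account name (alice is an assumed user).
GOOD_CONF='Port 2274
AllowUsers alice
PermitRootLogin no
LoginGraceTime 1m
ClientAliveInterval 600
ClientAliveCountMax 0
MaxAuthTries 3
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
LogLevel INFO'

# Constructed sample of a file that would lock you out or stay weak:
# the USER placeholder was never replaced and root login is still allowed.
BAD_CONF='Port 2274
AllowUsers USER
PermitRootLogin yes
PasswordAuthentication no'

# directive_value CONF NAME: print the value of NAME (case-insensitive,
# comment lines ignored, last occurrence wins, empty if unset).
directive_value() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        awk -v name="$2" 'tolower($1) == tolower(name) { v = $2 } END { print v }'
}

# check_sshd_hardening CONF [EXPECTED_USER]: exit status 0 when the
# lockout-sensitive directives are as the guide intends, 1 otherwise,
# printing one line per problem found.
check_sshd_hardening() {
    conf="$1"; expected_user="${2:-}"; rc=0
    users=$(directive_value "$conf" AllowUsers)
    case "$users" in
        ''|USER) echo "AllowUsers is missing or still the USER placeholder"; rc=1 ;;
    esac
    if [ -n "$expected_user" ] && [ "$users" != "$expected_user" ]; then
        echo "AllowUsers is '$users', expected '$expected_user'"; rc=1
    fi
    for pair in PermitRootLogin=no PermitEmptyPasswords=no PasswordAuthentication=no; do
        name=${pair%=*}; want=${pair#*=}
        got=$(directive_value "$conf" "$name")
        if [ "$got" != "$want" ]; then
            echo "$name is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed samples.
echo "good sample:"; check_sshd_hardening "$GOOD_CONF" alice && echo "  ok"
echo "bad sample:";  check_sshd_hardening "$BAD_CONF" alice || echo "  refused"
```

This only checks the handful of directives the guide touches; `sudo sshd -t` additionally parses the real file with sshd itself and reports syntax errors, so run both before the restart.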

* Disable the Ubuntu login messages.

```
sudo chmod -x /etc/update-motd.d/50-motd-news
sudo chmod -x /etc/update-motd.d/00-header
sudo chmod -x /etc/update-motd.d/10-help-text
```

## Install certbot

```
sudo apt install certbot
```

* Register, replacing EMAIL with your e-mail address.

```
sudo certbot register --agree-tos -m EMAIL

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
```

* Request the certificate for our DOMINIO. If the DNS record at your domain provider is not correctly pointing at your server's IP, you will NOT be able to obtain your certificate with this method. In standalone mode certbot itself listens on port 80 for the http-01 challenge, so nothing else may be using that port (Nginx is not installed yet at this point).

```
sudo certbot certonly --standalone --preferred-challenges http-01 -d DOMINIO

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for juna.g1server.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/juna.g1server.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/juna.g1server.net/privkey.pem
This certificate expires on 2022-07-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

* Take note of the location of your certificates. The output above shows the author's domain, juna.g1server.net; yours will be under your DOMINIO.

```
/etc/letsencrypt/live/juna.g1server.net/fullchain.pem
/etc/letsencrypt/live/juna.g1server.net/privkey.pem
```

* Generate the ssl-dhparams.pem file.

```
sudo openssl dhparam -dsaparam -out /etc/letsencrypt/ssl-dhparams.pem 4096

Generating DSA parameters, 4096 bit long prime
...
.........+++++++++++++++++++++++++++++++++++*
```

* Create the options-ssl-nginx.conf file.

```
sudo nano /etc/letsencrypt/options-ssl-nginx.conf
```

* With this content:

```
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA38";

add_header Strict-Transport-Security "max-age=63072000; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy interest-cohort=();
```

* Create the certbot.conf file.

```
sudo nano /etc/letsencrypt/certbot.conf
```

* With this content. Make sure to use the correct certificate paths noted in the previous steps (DOMAIN here is the same placeholder as DOMINIO).

```
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
```

## Install Docker

```
sudo apt install docker.io
```

* Verify that the service is running.

```
sudo systemctl status docker

● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-04-29 18:58:07 CDT; 1min 29s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 770 (dockerd)
      Tasks: 9
     Memory: 102.1M
        CPU: 374ms
     CGroup: /system.slice/docker.service
             └─770 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
```

* Add yourself to the "docker" group so that you do not need sudo.

```
sudo usermod -aG docker $USER
```

* Log out and log back in to the server for the change to take effect.

## Install Duniter

* Pull the image with the latest version.

```
docker pull duniter/duniter

Using default tag: latest
latest: Pulling from duniter/duniter
ddad3d7c1e96: Pull complete
de915e575d22: Pull complete
7150aa69525b: Pull complete
d7aa47be044e: Pull complete
72276961de3c: Pull complete
8a041b0e5a8a: Pull complete
66fb88d067ec: Pull complete
6ee9ba523072: Pull complete
Digest: sha256:c5ef0393f2efedb55052d06a2d43c7a9f65cfaabae72c8cae86b5010c62eb428
Status: Downloaded newer image for duniter/duniter:latest
docker.io/duniter/duniter:latest
```

* Run the container. Two variants are shown: the first publishes the BMA port (10901) and the WS2P port (20901) on all interfaces, while the second binds all three ports to 127.0.0.1, so that only the Nginx reverse proxy configured later can reach them. The last line is the container ID that Docker prints.

```
docker run -d -p127.0.0.1:9220:9220 -p10901:10901 -p20901:20901 --mount type=volume,src=duniter-db,dst=/var/lib/duniter --name duniter duniter/duniter

docker run -d -p127.0.0.1:9220:9220 -p127.0.0.1:10901:10901 -p127.0.0.1:20901:20901 --mount type=volume,src=duniter-db,dst=/var/lib/duniter --name duniter duniter/duniter

3521dec590f46b4265b0dba7243b925f1c3bd8f8d0a32ac43a0f479d94145bf4
```
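To confirm which of the two variants you ended up with, the following added example (not code from the guide or the Duniter project) parses the output of `ss -ltn` and reports any of the Duniter ports that is bound to something other than a loopback address. SAMPLE_SS is a constructed listing in which 10901 was published on all interfaces; on the server you would call `check_loopback_only "$(ss -ltn)" 9220 10901 20901`.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the Duniter ports
# are reachable only through the reverse proxy, i.e. bound to 127.0.0.1.
# On the server: check_loopback_only "$(ss -ltn)" 9220 10901 20901

# Constructed sample of `ss -ltn` output: 10901 was published on all
# interfaces (the first docker run variant), the other two on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:9220      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:10901       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:20901     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::]:2274           [::]:*'

# exposed_listeners LISTING PORT...: print "PORT ADDRESS" for each of the
# given ports that listens on something other than a loopback address.
exposed_listeners() {
    listing="$1"; shift
    wanted=" $* "
    printf '%s\n' "$listing" | awk -v wanted="$wanted" '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)          # keep only what follows the last colon
            sub(/:[0-9]+$/, "", addr)     # drop ":port", keeping the address
            if (index(wanted, " " port " ") == 0) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port, addr
        }'
}

# check_loopback_only LISTING PORT...: status 0 when none of the ports is
# exposed, 1 (with the offenders on stderr) otherwise.
check_loopback_only() {
    exposed=$(exposed_listeners "$@")
    if [ -n "$exposed" ]; then
        printf 'published on a non-loopback address:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample.
check_loopback_only "$SAMPLE_SS" 9220 10901 20901 ||
    echo "fix: recreate the container publishing 10901 as -p127.0.0.1:10901:10901"
```

Port 443 is deliberately not in the list: that is the only port meant to face the Internet once Nginx is in front of the node.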

* Initialize the configuration.

```
docker exec -it duniter duniter config

2022-04-29T03:46:39+00:00 - debug: Plugging file system...
2022-04-29T03:46:39+00:00 - debug: Loading conf...
2022-04-29T03:46:39+00:00 - debug: Configuration saved.
```

* Set your Cesium keys

This step is needed to set your Cesium credentials when you are a member of the web of trust; it allows the node to write to the blockchain. If you are not a member, the node will only be a mirror.

```
docker exec -it duniter duniter wizard key

2022-04-29T03:49:30+00:00 - debug: Plugging file system...
2022-04-29T03:49:30+00:00 - debug: Loading conf...
2022-04-29T03:49:30+00:00 - debug: Configuration saved.
? This node's current public key is: Gfhjon3nBAzPTEUdsQTLMqEZBKHkVtn49kjGtCqu2XVb
Modify your keypair? Yes
? Key's salt [hidden]
? Key's password [hidden]
2022-04-29T03:49:54+00:00 - debug: Configuration saved.
```

* Configure the network.

The wizard should correctly show your public IP; use the arrow keys to select it.

```
docker exec -it duniter duniter wizard network

2022-04-29T03:51:28+00:00 - debug: Plugging file system...
2022-04-29T03:51:28+00:00 - debug: Loading conf...
2022-04-29T03:51:28+00:00 - debug: Configuration saved.
? IPv4 interface lo 127.0.0.1
? IPv6 interface None
? Port 10901
? Remote IPv4 eth0 IP_PUBLICA
? Remote port 443
? Does this server has a DNS name? Yes
? DNS name: g1.cuates.net
2022-04-29T03:52:37+00:00 - debug: Configuration saved.
```

* Enable BMA. The commands below use the author's domain, duniter.g1server.net; use your own DOMINIO instead.

```
docker exec -it duniter duniter config --addep "BMAS duniter.g1server.net 443"

2022-04-29T03:56:14+00:00 - debug: Plugging file system...
2022-04-29T03:56:14+00:00 - debug: Loading conf...
2022-04-29T03:56:14+00:00 - debug: Configuration saved.
```

* Enable WS2P

```
docker exec -it duniter duniter config --ws2p-remote-host duniter.g1server.net

2022-04-29T03:57:12+00:00 - debug: Plugging file system...
2022-04-29T03:57:12+00:00 - debug: Loading conf...
2022-04-29T03:57:12+00:00 - debug: Configuration saved.
```

* Configure WS2P

```
docker exec -it duniter duniter config --ws2p-public --ws2p-noupnp --ws2p-port 20901 --ws2p-host 127.0.0.1 --ws2p-remote-port 443 --ws2p-remote-host duniter.g1server.net --ws2p-remote-path "/ws2p"

2022-04-29T03:58:53+00:00 - debug: Plugging file system...
2022-04-29T03:58:53+00:00 - debug: Loading conf...
2022-04-29T03:58:53+00:00 - debug: Configuration saved.
```
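The non-interactive configuration steps above (init, BMA endpoint, WS2P remote host, WS2P settings) can be collected into one script parameterised by your domain, so the author's domain never slips into your node's configuration. This is an added example, not code from the guide or the Duniter project; the container name `duniter`, the ports and the `/ws2p` path are the guide's values, `node.example.net` is an assumed domain, and the interactive `wizard key` and `wizard network` steps remain manual.

```shell
#!/bin/sh
# Added example, not part of the guide or the Duniter project: the
# non-interactive endpoint configuration above as one script parameterised by
# your domain. The interactive `wizard key` and `wizard network` steps stay
# manual. Container name, ports and the /ws2p path are the guide's values.
# Set DRY_RUN=1 to print the commands instead of executing them.

CONTAINER=duniter
WS2P_PORT=20901

# duniter_config_cmds DOMAIN: print the docker commands, one per line.
# Refuses the placeholders so they can never end up in the node's config.
duniter_config_cmds() {
    domain="$1"
    case "$domain" in
        ''|DOMINIO|DOMAIN)
            echo "refusing to configure with placeholder domain '$domain'" >&2
            return 1 ;;
    esac
    # These subcommands do not prompt, so no -it is needed (unlike the wizards).
    cat <<EOF
docker exec $CONTAINER duniter config
docker exec $CONTAINER duniter config --addep "BMAS $domain 443"
docker exec $CONTAINER duniter config --ws2p-remote-host $domain
docker exec $CONTAINER duniter config --ws2p-public --ws2p-noupnp --ws2p-port $WS2P_PORT --ws2p-host 127.0.0.1 --ws2p-remote-port 443 --ws2p-remote-host $domain --ws2p-remote-path "/ws2p"
EOF
}

# run_duniter_config DOMAIN: run (or, with DRY_RUN=1, print) each command in
# order, stopping at the first failure.
run_duniter_config() {
    cmds=$(duniter_config_cmds "$1") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Stand-alone demonstration: print the commands for an assumed domain.
DRY_RUN=1 run_duniter_config node.example.net
```

Run it with `DRY_RUN=1` first and compare the printed lines against the commands in the guide; the remote port 443 and the `/ws2p` path must match the Nginx site configured in the next section, because that is where peers will connect.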

* Synchronize the blockchain.

Depending on the network speed of your VPS and the write speed of its disk, the process can take between 1 and 3 hours.

```
docker exec -it duniter duniter sync g1.duniter.org:443

Progress:

Milestones: [||||||||||||||||||||] 100 %
Download: [||||||||||||||||||||] 100 %
Apply: [||||||||||||||||||||] 100 %
Sandbox: [ ] 0 %
Peers: [||||||||||||||||||||] 100 %

Status: Peer TENGx7WtzFsTXwnbrPEvb6odX2WnqYcnnrjiiLvp1mS
All done in 5348.704 seconds.
```

## Install and configure Nginx

```
sudo apt install nginx
```

* Edit the nginx.conf file.

```
sudo nano /etc/nginx/nginx.conf
```

* With this content:

```
user www-data;
worker_processes auto;
worker_rlimit_nofile 20480;
pid /run/nginx.pid;

error_log /var/log/nginx/error.log warn;

events {
    worker_connections 5120;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server_tokens off;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;

    keepalive_timeout 65;

    include /etc/nginx/sites-enabled/*.conf;

    disable_symlinks off;

    client_max_body_size 50m;
}
```

* Delete the default site file.

```
sudo rm /etc/nginx/sites-enabled/default
```

* Add the site file.

```
sudo nano /etc/nginx/sites-available/DOMINIO.conf
```

* With this content:

Replace DOMINIO with your real domain.

```
server {
    listen 443 ssl http2;
    server_name DOMINIO;

    include /etc/letsencrypt/certbot.conf;
    proxy_set_header X-Forwarded-For $remote_addr;
    server_tokens off;

    access_log /var/log/nginx/DOMINIO.access.log;
    error_log /var/log/nginx/DOMINIO.error.log;

    location / {
        proxy_pass http://127.0.0.1:10901;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /ws2p {
        proxy_pass http://127.0.0.1:20901;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

* Create the following symbolic link.

```
sudo ln -s /etc/nginx/sites-available/DOMINIO.conf /etc/nginx/sites-enabled/
```

* Test the configuration.

```
sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

* Restart the service.

```
sudo systemctl restart nginx
```

## Restart the node

```
docker stop duniter
docker start duniter
```

## Checking

If you open your domain

https://duniter.g1server.net/#/app/network

you should get a JSON document with the server version:

```
{
  "duniter": {
    "software": "duniter",
    "version": "1.8.2",
    "forkWindowSize": 100
  }
}
```

If you see it in the node list in Cesium, congratulations.